Tech

Free Rides: The Story of the Smartphone Subway Hackers

Two mobile security researchers discovered that it was possible to hack certain subway cards for free rides. What's worse, they think the trick isn't too hard to reproduce — all they needed was a simple smartphone. However, it's unclear who is to blame for this security hole.

Everything started when Corey Benninger, a mobile security consultant who works for Intrepidus Group, was traveling in San Francisco in 2011. At the time, he and his colleague and friend Max Sobell had started playing around with the Google Nexus S and near field communication (NFC), a wireless technology that allows devices to communicate and exchange data over short distances or through physical response.

As Benninger took the Muni bus in San Francisco, he noticed that their limited-use cards functioned with NFC, allowing commuters to simply place the card on a reader to pay for their rides. He had recently gotten his hands on one of the first NFC-enabled phones, the Nexus S, so he asked himself, "Can I scan that card with it?" The answer was yes.

When Benninger came back to New York, he started working with Sobell to see what they could do with the data accessible just by placing the card on the back of the phone. The Muni ticket they experimented on was a Mifare Ultralight card, a low-end card that used a chip by NXP, a Dutch company that produces a variety of Mifare cards. These contact-less cards can be used for transport tickets, hotel card keys and concert passes, among other applications.

Benninger and Sobell noticed that the bits that corresponded to the remaining trips were not only visible, but could be rewritten. The two, who tell Mashable that they are no "advanced developers by any means," started working on an Android app. Initially, the biggest hurdle was that the Android SDK for developers initially didn't support NFC-powered apps. But once that capability was added to the API, writing the actual app was easy.

"I think we put the first version of the application together in an evening, so it wasn't all that complicated to actually write," says Benninger.

And that means it wouldn't be too hard for some ill-intentioned hacker to build a similar app and ride the subway for free. "I do feel it's something that other people could duplicate fairly easily," Benninger tells Mashable.

The app, called UltraReset, basically resets the empty card, tricking it into thinking there are still trips left.

Collin Mulliner, a postdoctoral researcher who focuses on mobile security and is familiar with the hack, agrees. In a phone interview with Mashable, Mulliner explains that all the two researchers did was take advantage of a "lousy engineered system" using "no fancy equipment" but a regular phone. Before NFC phones like the Nexus S, explains Mulliner, you needed a card reader, a laptop and the appropriate software. It just wasn't worth the trouble. Now? You just need a smartphone with NFC and an app. Then you just "copy and write the data back" because these cards "have no security," he says.

"Those NFC phones are kind of really easy to use," Mulliner says. "So it just lowers the bar for people who want to commit fraud to a very, very low level."

On another trip, this time in New Jersey, the two researchers noticed that the New Jersey PATH train used the same technology. Curious, they tried to use their app with the PATH's Smartlink limited-use card. As they expected, it worked. You can see a video of their experiment below, and the researchers have written a blog post on Intrepidus' website.

Benninger and Sobell contacted both the San Francisco Municipal Transportation Agency and the The Port Authority of New York & New Jersey (PATH) months before releasing their findings to the public, which they did at security conference EUSecWest, held in Amsterdam on Sept. 19. They've also been in touch with both agencies to advise them on remedies and fixes. They didn't want to make life easier for a potential hacker, so they decided not to release the app that resets the card, only the one that allows the user to read the data on the Ultralight Cards. When they informed the two agencies, they said their goal was to make sure they were aware of the issue and could work to fix it, or at least monitor their system to spot potential abuses.

NXP, the manufacturer of the chip, first addressed the issue in a statement released to NFCWorld. Noting that the researchers hacked only Mifare Ultralight cards, the company said that this model "provides only basic security features, such as one-time programmable (OTP) bits and a write-lock feature to prevent rewriting of memory pages, but does not include cryptography," something that newer and safer Mifare cards offer. NXP also stated that a newer model, the Mifare Ultralight C, has been equipped with added security, "anticipating the widespread adoption of NFC-enabled phones and, consequently, possible attack scenarios."

However, Martin Gruber, the senior director of automatic fare collection at NXP's Mifare tells Mashable that the chips present in the tickets is actually built to provide enough security. Problem is, that security was not implemented correctly in these two instances. That's why the hack was so easy to pull off. "How complicated it is to open the door if the door is open and it is unlocked? How difficult it is to steal a car when the door is open and the key is inside?" asks Gruber.

Gruber explains that, as chip manufacturers, all his company can do is provide security features that then need to be implemented by the transport agencies and the ticket distributors who design the whole system. He stresses that the Ultralight chip has enough security to prevent easy attacks like the one Benninger and Sobell did, but for some reason, those features were not used in the Muni and PATH tickets.

Warned by the two researchers, the two transportation agencies involved are working on solutions, but it's unclear who is responsible for the security hole.

John Goodwin, spokesman for the Bay Area Metropolitan Transportation Commission (MTC), tells Mashable that they were aware of the limited-ride cards' vulnerabilities and notes that, at this point, is only a "potential hack." Asked who is responsible for implementing the security that NXP claims their cards are equipped with, Goodwin says the MTC simply buys stocks of cards from their contractor, who is responsible for implementing the entire system. In this case, the contractor is Cubic Transportation Systems, a San Diego-based company, part of defense contractor Cubic Corporation.

Mashable contacted Cubic for comment, but the company, which initially seemed disposed to talk, didn't respond to further calls and emails.

Every day, roughly 700,000 people use the Muni system in the Bay Area. And of those, only 23,000 use a limited-ride card like the one hacked by Benninger and Sobell. In the last few months, the transportation authority has been monitoring the system for abuses, but it only spotted one anomalous transaction. Goodwin didn't have more details about it, but said the next step is to develop tools to detect abuse in real time. Long-term potential solutions, says Goodwin, could involve replacing the card, shortening the validity period and, thus, giving potential hackers less time to take advantage of it, or eliminating limited-ride cards altogether.

The PATH transit authority did not answer our requests for comment but released a statement to ZDNet: "The PATH rail system has not experienced such fraudulent activity on its SmartLink Cards to date, but we are discussing the issue with our card vendor."

This is not the first time serious security flaws in major transportation systems have been exposed. In 2008, three researchers from MIT discovered four major security flaws in the Boston subway and, particularly, in the tickets called CharlieTicket and CharlieCard — another two Mifare subway cards that use NFC technology. The breaches were so serious that, when it was announced that the three students would present their findings at the famous hacker conference Defcon, the Boston transportation authority sued the students and obtained a gag order that prevented their presentation.

Benninger and Sobell warn that their hack doesn't expose the same kind of serious flaws, but it's still an issue that needs to be addressed. And the problem may not be limited to San Francisco and New Jersey. The same Ultralight cards are used all over the world, from Madrid to London to Rio the Janeiro.

Update: an earlier version of this article referred to Collin Mulliner as a "Ph.D student" when, actually, he is not anymore. The article was corrected and now refers to him as a "postdoctoral researcher."

Mashable
is a global, multi-platform media and entertainment company. Powered by its own proprietary technology, Mashable is the go-to source for tech, digital culture and entertainment content for its dedicated and influential audience around the globe.